Harden Samples CI workflow for zizmor and add workflow linting

[DrisDary]

Motivation

PR #80 introduced the zizmor pre-commit hook for GitHub Actions security
linting, but had to exclude run-samples.yml (exclude: ^\.github/workflows/run-samples\.yml$)
to land a test-regression fix without first resolving the findings in that
workflow.

Since run-samples.yml is the only substantive workflow in this repo, that
exclude left zizmor scanning only the already-hardened pre-commit.yml —
effectively a no-op. This PR is the agreed follow-up: fix the actual findings,
remove the exclude so zizmor lints the workflow for real, and align the
repo's CI workflow-linting with localstack-pro.

Changes

.github/workflows/run-samples.yml — resolve all zizmor findings:

• Add top-level permissions: {} and grant each job only contents: read (excessive-permissions)
• Pin every action to a full commit SHA with a # vX.Y.Z comment (unpinned-uses)
• Set persist-credentials: false on both checkout steps (artipacked)
• Route github.event.inputs.run_mode, matrix.shard/matrix.splits, and
  runner.temp through step-level env instead of inline interpolation (template-injection)
• Quote $(lsb_release -rs) and $GITHUB_PATH in the MSSQL step (shellcheck, surfaced by actionlint)

.pre-commit-config.yaml:

• Remove the run-samples.yml exclude from the zizmor hook

.github/workflows/lint_workflows.yml (new):

• Add a dedicated workflow-linting job running actionlint + zizmor,
  mirroring localstack-pro for CI parity and shellcheck coverage on run: blocks
• SHA-pinned actions, least-privilege permissions, persist-credentials: false

Intentionally not copied from localstack-pro: its zizmor.yml (disables
excessive-permissions, which would undo the fix here) and its actionlint.yaml
(only declares self-hosted runner labels, irrelevant to GitHub-hosted runners).

Tests

Verified locally against all workflows (pre-commit.yml, run-samples.yml, lint_workflows.yml):

• actionlint (with shellcheck) — exit 0, no findings
• zizmor v1.25.2, default persona — "No findings to report"
• The real pre-commit hook (pre-commit run zizmor --all-files) — Passed

Related

• Follow-up to Add rule .env.* to .gitignore #80

[paolosalvatori]

@copilot please review the changes introduced in this PR and explained in the description field and provide suggestions and observations, if any.

[Copilot]

@copilot please review the changes introduced in this PR and explained in the description field and provide suggestions and observations, if any.

I reviewed the PR changes (run-samples.yml, lint_workflows.yml, and .pre-commit-config.yaml) and they look solid overall: least-privilege permissions, SHA-pinned actions, persist-credentials: false, and template-injection mitigations are all consistently applied.

One optional tightening you could consider: in lint_workflows.yml, check whether actions: read is actually required for the current steps. If not, you can remove it and keep only contents: read for stricter least privilege.

I don’t see any blocker-level issues.

[paolosalvatori]

LGTM (and Copilot), ship it! 🎉 P.S. Don't work in the middle of the night! 🌙

[paolosalvatori]

FYI @purcell